Abstract
The depletion of the unallocated IPv4 addresses and the slow pace of IPv6 deployment have given rise to the IPv4 transfer market, the trading of allocated IPv4 prefixes between organizations. Despite the policies established by RIRs to regulate the IPv4 transfer market, IPv4 transfers pose an opportunity for malicious networks, such as spammers and bulletproof ASes, to bypass reputational penalties by obtaining “clean” IPv4 address space or by offloading blacklisted addresses. Additionally, IP transfers create a window of uncertainty about the legitimate ownership of prefixes, which leads to inconsistencies in WHOIS records and routing advertisements. In this paper we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild, by synthesizing an array of longitudinal IP blacklists, honeypot data, and AS reputation lists. Our findings yield evidence that transferred IPv4 address blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicate efforts to evade filtering mechanisms.
Highlights
The depletion of the unallocated IPv4 addresses combined with the slow transition to IPv6 has led to the emergence of a secondary market for ownership transfers of IPv4 addresses
96% of the IPv4 addresses are exchanged within the same registry and most of these IP transactions occur within the North America region, while 85% of the inter-RIR transfers originate from ARIN
In this paper we present a first comprehensive measurement study of malicious activities within the transferred IPv4 address space and the networks that are involved in the IPv4 market
Summary
The depletion of the unallocated IPv4 addresses combined with the slow transition to IPv6 has led to the emergence of a secondary market for ownership transfers of IPv4 addresses. Since RIRs are unable to allocate additional IPv4 addresses, many network operators try to prolong the lifespan of IPv4 by buying address space allocated to other networks, which has led to the emergence of a secondary IP market This market has been characterized as murky [43], due to the lack of transparency and mechanisms to authenticate the ownership of IP space. RIPE, in contrast to its intra-RIR policy, requires inter-RIR buyers to document the utilization of at least 50% of the transferred address space for five years. These regulations do not apply in the case of transfers that occur due to mergers and acquisitions. To the best of our knowledge, no prior work has studied the IPv4 transfer market from the perspective of fraudulent behavior and misuse
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
